Monday, 11 August 2008
Georgian Websites Under Attack - DDoS and Defacement
The Attacks Resume
Last month we reported on a crippling distributed denial of service (DDoS) attack against the website of Georgian President Mikheil Saakashvili. Shortly after that post, the command and control (C&C) server used to issue the attacks was taken offline. We have not seen that C&C come back to attack any other websites. In fact, we had not seen any other C&C servers taking aim at Georgian websites since that post until last Friday (August 8, 2008). The date appears to coincide with military movement that has since escalated into fighting between the two countries. Since August 8 we have witnessed multiple C&C servers attacking websites that are Georgian or sympathetic to the country.
Some of the first targets we saw once again involved the Georgian government. The website for the President (www.president.gov.ge) and the website for the Parliament of Georgia (www.parliament.ge) were both targeted. However, the attacks were not limited to just government websites. We have witnessed at least six different C&C servers attacking various websites that are not government sites. In some cases the various C&C servers were and still are attacking the same websites. The following websites have come under attack in the past few days:
- www.president.gov.ge
- www.parliament.ge
- apsny.ge
- news.ge
- tbilisiweb.info
- newsgeorgia.ru
- os-inform.com
- www.kasparov.ru
- hacking.ge
- mk.ru
- newstula.info
- skandaly.ru
One will notice that not all of these are Georgian websites. However, it is interesting to see that the same groups involved with targeting various Russian media outlets have also been taking aim at various Georgian websites. Additionally, the website of Garry Kasparov has once again come under attack. Arbor Networks previously commented on an attack aimed at his site last December.
More Than Just DDoS
As the title of this post alludes to, these attacks have expanded beyond denial of service. At the time of this writing the website of the Georgian Parliament has been defaced by a group claiming to be from South Ossetia. The attackers have inserted into the site a large image made up of several smaller side-by-side pictures of both the Georgian President and Adolf Hitler. It has been reported that the President's website was also defaced with the same message a few days ago; however, Shadowserver did not witness that particular defacement.
Edit: (08-11-2008 9:10 PM EDT): We have since removed a screen shot of the defaced page as we do not want to glorify the group behind it. At this time the page is still defaced and can be viewed. However, we would caution against visiting the site as it may still be under control of the attackers.
Some of the attacked websites have remained online without making any real changes to do so. Others have not been so lucky. A few of the websites have temporarily changed their IP address to 127.0.0.1 at points throughout the day in an attempt to thwart the attacks. A few others have also changed hosts. Several media outlets have reported that the President of Georgia's website has since moved to Georgia... in the United States (no, this is not a joke). This appears to be accurate, as it is currently hosted on the IP address 220.127.116.11, which belongs to the web hosting company Tulip Systems of Atlanta, GA.
While this flurry of activity appears to coincide with recent events involving Russia and Georgia, we do not have solid information on who is behind it or why. We have no reason to think the government is involved and can only speculate that it could be a grassroots effort by the attackers. What is clear is that there are groups looking to keep Georgian websites offline.
Posted August 11, 2008, at 02:20 PM by Steven Adair